The Microsoft Entra Identity executing the command does not typically perform Run Commands on Azure VMs.
The execution of the Run Command is occurring outside of regular business hours.
Multiple instances of suspicious Run Command executions are detected within a short timeframe.
Run Commands are being executed anomalously across multiple VMs.
Possible Root Causes
Unauthorized Access: An attacker has gained access to a Microsoft Entra Identity and is using it to execute Run Commands on VMs without permission.
Misconfigured Permissions: A Microsoft Entra Identity has excessive privileges, allowing it to execute Run Commands on VMs it should not have access to.
Malware or Exploitation Tool: An attacker is using malware or tools to abuse the VM's operating system, escalate privileges, and execute Run Commands.
Legitimate Administrative Action: A valid Microsoft Entra Identity is running a script to configure a new VM for production use, requiring Run Commands with elevated privileges.
Automated Deployment: A legitimate application is utilizing Azure's Run Command feature to automate updates and patches for a VM or fleet of VMs.
Business Impact
Data loss or corruption due to unauthorized deletions.
Security breaches resulting from the exploitation of vulnerabilities or abuse of privileges.
Compliance issues due to non-adherence to security policies.
Downtime and revenue loss caused by malicious activity.
Steps to Verify
Review the actions taken by the Microsoft Entra Identity after the identified activity to assess potential risks.
Investigate the Microsoft Entra Identity executing the Run Command for any signs of unauthorized access or excessive privileges.
Analyze the parameters used in the Run Command to identify potential security risks, such as the deletion of sensitive data.
Verify if the suspicious Run Commands are occurring within regular business hours or if there are multiple instances within a short timeframe.
Ensure that the VM's configuration and permissions align with organizational security policies.
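As an added illustration of the triggers listed at the top of the page and of the timing check in the verification steps (example code written for this page, not part of the detection product), the following triages a batch of Activity Log records against the four indicators: an identity with no Run Command history, execution outside business hours, a burst of executions in a short window, and execution across several VMs. The records, the business-hours window, the burst threshold and the baseline of known callers are constructed assumptions; the operation name is the Azure resource-provider operation for Run Command.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RUN_COMMAND_OP = "Microsoft.Compute/virtualMachines/runCommand/action"

# Constructed sample Activity Log records (simplified fields, UTC times); not real data.
EVENTS = [
    {"caller": "ops-admin@example.com", "op": RUN_COMMAND_OP, "vm": "vm-web-01", "time": "2024-05-06T10:15:00"},
    {"caller": "ops-admin@example.com", "op": "Microsoft.Compute/virtualMachines/start/action", "vm": "vm-web-02", "time": "2024-05-06T10:20:00"},
    {"caller": "svc-build@example.com", "op": RUN_COMMAND_OP, "vm": "vm-app-01", "time": "2024-05-06T02:05:00"},
    {"caller": "svc-build@example.com", "op": RUN_COMMAND_OP, "vm": "vm-app-02", "time": "2024-05-06T02:06:00"},
    {"caller": "svc-build@example.com", "op": RUN_COMMAND_OP, "vm": "vm-app-03", "time": "2024-05-06T02:07:30"},
]

# Assumed baseline: identities that have issued Run Commands before (built from history).
KNOWN_RUN_COMMAND_CALLERS = {"ops-admin@example.com"}


def score_run_commands(events, known_callers, business_hours=(8, 18),
                       window=timedelta(minutes=10), burst=3):
    """Return {caller: set(reasons)} for callers matching any of the page's indicators."""
    by_caller = defaultdict(list)
    for e in events:
        if e["op"] == RUN_COMMAND_OP:
            by_caller[e["caller"]].append((datetime.fromisoformat(e["time"]), e["vm"]))
    findings = {}
    for caller, runs in by_caller.items():
        runs.sort()
        reasons = set()
        if caller not in known_callers:                      # identity never ran Run Command before
            reasons.add("new_caller")
        if any(not business_hours[0] <= t.hour < business_hours[1] for t, _ in runs):
            reasons.add("off_hours")                          # hour-of-day only; ignores weekends/time zones
        for i in range(len(runs)):                            # sliding window: >= burst runs within window
            j = i
            while j < len(runs) and runs[j][0] - runs[i][0] <= window:
                j += 1
            if j - i >= burst:
                reasons.add("burst")
                break
        if len({vm for _, vm in runs}) > 1:                   # same identity touching several VMs
            reasons.add("multi_vm")
        if reasons:
            findings[caller] = reasons
    return findings


if __name__ == "__main__":
    for caller, reasons in score_run_commands(EVENTS, KNOWN_RUN_COMMAND_CALLERS).items():
        print(caller, sorted(reasons))
```

The known baseline caller with a single daytime execution produces no finding, which is the kind of result the verification steps would route to the legitimate-administration or automated-deployment root causes.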
Azure Suspicious VM Run Command Execution